My theory about Apple's "Limit precise location from cellular networks" feature
It seems Apple is releasing a new privacy feature exclusive to iPhones with an Apple-designed modem:
There are no details about how it works, so for now this is only an educated guess, but since I did a lot of research into LTE and 5G documentation to put it together for a Privacy Guides forum discussion, I'm going to quick note my guesswork down here with my sources for my own future reference.
My guess is, mostly based on the TA_RANDOMIZATION_-prefixed keys the developers are using for this setting…
…that Apple will hinder cell tower triangulation somewhat by randomizing the Timing Advance value.
This makes some sense. Cell tower triangulation relies on also receiving data from your device, which obviously your device has a bit of control over. This is why GPS satellites can’t learn your location, since they’re one-way signals.
Background
To understand how this could work, you’ll have to understand two things:
First: In cellular networks, the Timing Advance (TA) value is used to prevent intersymbol interference (ISI) by basically synchronizing all the phones that are connected to the tower so that the tower receives all the transmissions at the same time.
Importantly, your TA value is a variable the cell network needs to know, in addition to other variables, to triangulate your location.
In LTE, each TA interval represents a multiple of ~78 meters. Whereas in 5G there are 7 different types of numerology (SCS), pretty much all of which are even more granular, like in 30 kHz SCS then the TA would represent a multiple of ~40 meters, or in 120 kHz SCS a multiple of ~10 meters.
So… clearly when it comes to 5G, location privacy is more of a concern, as it allows for more precision.
Second: There is another timing factor called the Cyclic Prefix, which is basically a guard interval that is added to the start of each symbol, which also combats ISI, but ISI which is caused by delay spread due to multipath propagation of radio signals.
The cyclic prefix is much larger than the TA unit, think like it can absorb a delay of around 5 microseconds, while each TA unit represents around 0.5 microseconds or less.
So what?
This discrepancy means that an iPhone has some wiggle-room to adjust its TA value around a few units, and if the signal with an incorrect TA still arrives at the tower within the same cyclic prefix, the tower should still be able to successfully decode the data.
The tower would see the TA is wrong, and send a command to the phone to fix the TA. Meanwhile, the iPhone would choose a new random offset for the TA of the next transmission and the process would repeat.
I think (?) the tower would always know the TA value it’s seeing is wrong somehow, but the wrong values would be randomly distributed so that the right distance couldn’t be accurately determined.
What I don't see is how this can't have some performance impact, but maybe a 10% difference on modern networks will not be super noticeable.
Carrier support
I think this explains why only Boost Mobile supports this in the USA.
The cellular network is going to see a lot of deviations in the signals it receives, which it would typically interpret as hardware or signal failures. The carrier could modify their network to broaden the limits of what it considers acceptable though.
Boost Mobile uses exclusively 5G hardware since they have no legacy towers, and their whole network stack is software-defined, so they could add support for Apple’s changes across the whole network very easily.
Legacy carriers will probably have to fully replace their old hardware to support this (which they’re doing, so maybe we’ll see this eventually).
Also, given that the article says the level of precision will only change from street address level to neighborhood level, and the Timing Advance value is kind of important for latency and preventing interference, the randomization must be fairly small, so this theory makes sense to me.
Layer 1 privacy
If all this is true then it’s actually a neat privacy trick on the Layer 1/2 level to prevent cell tower triangulation.
The problem with my theory is that I cannot find a single academic or standards paper which describes any sort of “TA randomization,” which seems strange to me.
If all of this were true, I would think there would be public research surrounding it before Apple just decides to throw it in iOS 26.3. However, I did find a lot of papers (linked above) which demonstrate that TA values are a significant privacy problem in general, so it seems to make sense to try to tackle.
It’s very possible that TA_RANDOMIZATION_ refers to something else entirely with the initials TA, or TA are just random letters Apple is using. I couldn’t find anything else that TA could likely mean though, and my theory makes sense to me, so I’m sticking with it.
However, all this being said, if cell networks can indeed routinely just ask your phone for GPS data, I’m not quite sure how much of an advantage all of this grants you 🙂
P.S. Another thing I learned tonight is that in LTE, your TA value is transmitted unencrypted.
So literally anyone in the middle who can sniff your wireless traffic could find your TA value, gather your IMSI, and determine/track your location. I think this remains true for 5G, but don’t quote me on that.
TA randomization would fix this problem too though, so Apple adding this is actually a nice protection against IMSI catchers 👍
